If you haven't already seen it, it's worth a look – The Committee of Sponsoring Organizations of the Treadway Commission just published a thought paper dealing with risks related to cloud computing. It leverages off COSO's enterprise risk management framework, speaking specifically to issues surrounding hosted services delivered over the internet. The paper is geared not to the techie, but rather to management level personnel who need to understand not only the benefits, but also the associated risks. The paper briefly outlines the many benefits of cloud computing, including greater technology value at lower cost, faster speed of deployment, common technology platforms, reduced need for support personnel and related expenditures, and environmental benefits.

Naturally, most of the focus is on the risks. These include the strategic – with lower barriers of entry for new competitors and related challenge to current business models – and dependency on cloud service providers which in turn drives legal and related risks. Others include lack of transparency, reliability and performance issues, security and compliance concerns, and elevated risk of cyber attack or data leakage. The paper also deals with issues inherent in moving to the cloud, such as the extent to which management considers the impact on the company's organization and IT and other personnel resources, noting "In many cloud scenarios, the organization no longer has complete or direct control over technology and technology-related management processes. Management must determine if it has the risk appetite for the entire universe of potential events associated with a given cloud solution as some of these events extend beyond the organization's traditional borders and include some events that have an impact on the [cloud service provider(s)] supporting the organization."

The paper also discusses cloud issues in the context of COSO's ERM Framework's eight components, outlining how each can be addressed and used in evaluating cloud computing alternatives. It provides suggestions for dealing effectively with the more significant risks, and highlights key decisions to be made by senior management – as well as responsibilities of C-suite executives – and areas on which the board of directors needs to focus its attention. If your company is already in the cloud or considering going there, the paper is worth the read.

In case you were too busy watching your kids open their holiday presents you might have missed a “gift” for you – COSO’s updated internal control framework. During the holiday season the draft was exposed for public comment, so if you haven’t already done so, you might want to get your hands on it and tell COSO what you think, and how it might be further improved.

In looking over the draft you’ll see that the fundamental concepts and structure remain. The definition of internal control, the five components, and the COSO cube are unchanged. So are the three categories of objectives, except that the reporting category is expanded to include all reporting by an entity: financial and non-financial, internal and external. This brings the internal control framework in line with how the reporting category of objectives is defined in COSO’s Enterprise Risk Management—Integrated Framework issued in 2004. Another enhancement in the updated framework is inclusion of what are called “principles” and “attributes” of internal control. The initial framework implicitly reflected the core principles of internal control, whereas the updated version explicitly states the 17 principles, representing the fundamental concepts associated with the components of internal control. Supporting the principles are attributes, representing characteristics associated with the principles. Together the principles and attributes comprise criteria put forth to assist management in designing and developing systems of internal control and assessing its effectiveness.

Other enhancements include:

Emphasis on the increased relevance of technology, focusing on sophisticated, decentralized, and mobile applications involving multiple real-time activities that can cut across many systems, organizations, processes, and technologies.

Expanded discussion on governance relating to the board of directors and committees, including audit, compensation, and nominating/governance.

Enhanced focus on anti-fraud expectations, with expanded discussion on fraud and the relationship of fraud and internal control.

Reflection of the evolution of different business models and organizational structures, including use of external parties for providing products or services, the increasing competitive landscape, globalization, dynamic industry and technological changes, evolving business models, competition for talent, cost management, and other factors that have required management to look beyond internal operations to access needed resources via a shared service model, outsourcing to an external party, spinoff, joint venture, or other approach.

You’ll see the term “ICEFR” (pronounced ice-eh-fer), which is the acronym for internal control over external financial reporting. Because of the importance of the internal control framework for reporting under such requirements as Sarbanes-Oxley, COSO decided to offer a separate guidance document highlighting how the framework can be effectively applied for that purpose. It’s organized around the five internal control components, containing approaches for and examples of their application, with direct linkage to the principles and attributes in the framework. It’s important to keep in mind that the ICEFR guidance is just that, guidance; it will neither replace nor modify the framework. It will be exposed for comment later on this spring.

Well, it’s a case of speak now, or…. If you’re involved in any way with internal control, you’ll want to provide your input on the document. By the way, I’m biased in a positive way – for full disclosure, I was the lead PwC project partner of the team that developed the original Framework, played a similar role with the COSO ERM framework, and advised the project team that developed this updated framework. But you may have different views, and it’s important to make them known. The comment period ends March 31.
